ZIFFPAGE TITLEStep NoBy John Moore | Posted 2006-05-15 Email Print
New threats to your computer infrastructure emerge every day. Baseline's Security Survival Guide provides tips and techniques to help you safeguard your organization.. 4: Dealing With Corporate Management">
Step No. 4: Dealing With Corporate Management
Discernment is crucial in deciding when and how to inform the powers that be. Top executives need to be in the security loop, but the sky will fall on the security officer who issues one too many false alarms.
Don't Cry Wolf
"Your false alarm rate to business people has to be low," says Barry Miracle, global security practice leader at BearingPoint. If a security shop warns erroneously more than twice a year, "no one will respond to the next one."
The experience and intuition of the security manager plays a major role, according to security experts. "A lot of it is judgment," says Morrow, the chief security and privacy officer for Electronic Data Systems Corp., "and knowing what is of interest to senior executives and what's not."
The University of Georgia's triage team always assesses the scope and severity of an incident before contacting higher-ups, notes Gatewood, the university's chief information security officer. "If it's someone spamming us or sending out spyware, that's not making the 6 o'clock news," he says.
M&T Bank ranks incident severity on a 1-to-4 scale, with Level 1 deemed the most critical. A Level 1 incident must involve at least one of the following: unauthorized disclosure, modification, destruction or deletion of sensitive information or data; disruption of business continuity and critical business processes or communication; an impact on the long-term public perception of the organization; or identity theft of an individual or group.
In response to a Level 1 incident, the manager of the resources involved is instructed to cease use of the resources until the bank's incident response coordinator makes contact and provides further instruction.
At New York Presbyterian Hospital, the priority of an incident rises as a particular segment of a network becomes sluggish, and then escalates up to the point where there is a complete disruption of service, which "has to be reported," says information security officer Sengupta. At the health-care facility, he adds, any incident that could potentially affect patient care must be communicated upward as well.
"Incidents all get reported," Sengupta sums up broadly, "but not at the level of individual viruses and not every day."
For Giambruno, director of engineering and security at Pitney Bowes, context counts. An attack involving one application may sound small, he says, but if that application is a key enterprise system that impacts many people, it may become a need-to-know incident.
Incidents judged not to rate the C-level executives' immediate attention are periodically summarized and presented to them in a group.
Guerrino, head of information security at the Bank of New York, provides his incident summary to a board-level committee of senior executives every six months. The summary includes the number of incidents by category, including unauthorized access, disclosure, usage, or destruction; loss or theft of information or equipment containing information; service disruptions; and copyright or trademark infringements. Incidents are further classified by impact and severity.
Don't Ask for Money
There's one form of communication with executives that security managers try to avoid at all costs: Emergency requests for money to handle a computer security incident. To avoid such requests, some enterprise security groups negotiate terms with a pre-approved list of vendors on standby to help manage an incident, Miracle says. Contracts with pre-approved vendors stipulate rates in advance.
A company might have an arrangement with a forensics specialty firm, for example. Miracle says these support pacts don't necessarily involve huge sums of money. A forensics firm may dispatch one or two investigators who work for perhaps two to six weeks and produce a written report.
Bank of New York contracts with a forensics specialist that gives the bank the option to call on the company for a specified number of hours of work per year, Guerrino says. If the bank exceeds the number of hours specified in the contract, there's an agreed-upon rate increase.
To ensure reasonably smooth communication in a crisis, security groups need to open a channel of communication with management. Having an established foundation for dialogue is crucial to the security officer's effectiveness even in the normal course of business, and more so in an emergency, security experts say. For example, Gatewood reports to the University of Georgia's chief information officer, who sits with the executive team.
"I'm brought to the table to explain things to them," Gatewood says. "I can e-mail them, call them, and brief them without having to have special permission. A lot of my peers say, 'I don't have that relationship with the executive management team.'"
Security experts tout a close relationship with the top brass as critical for maintaining a healthy security budget and a corporate culture that values security.
Miracle notes tremendous turnover among chief information security officers; he cites former security officers he knows who insist they won't take that assignment again.
But some security officers have established solid executive-level ties. Morrow, who reports to EDS' executive vice president of risk management, feels fortunate to work with an executive team that is very conscious of security issues.
"They are willing to take my calls and are interested and concerned when there is an issue," he says. "Many of my colleagues find it difficult to get senior executives' ear. They get the shoulder shrug."
Gatewood lists several reasons why C-level executives may ignore the chief information security officer, including lack of trust in the individual and a perception that security manages are "inhibitors or disablers."
Regulatory compliance issues have pulled at least some senior executives into the information-technology security camp. Sarbanes-Oxley, which demands documented risk-management processes, has forged "a much closer relationship between the chief financial officer and the security team today than ... there ever was before," says Payne, the president and chief operating officer of iDefense Security Intelligence Services. He says CFOs have familiarized themselves with the security group's processes and systems and have invested considerably in technology to address risk issues related to I.T. security. "[Sarbanes-Oxley] has been good for the security industry," Payne contends. "Controls and processes that make good sense are now mandated by regulations, and those regulations have teeth."
Security managers, for their part, have been working to build closer links not just to executive management, but to all levels of an organization.
Hanson, the manager of I.T. security at Quad/Graphics, lists good communications and partnerships within the business as the biggest boons to a successful security strategy. He said his group has liaisons working with the company's technology and software development team and also maintains contacts in key business units and subsidiaries. He says the security group's outreach could be as simple as bouncing ideas for new security policies or technologies off business-unit representatives. The group may also provide assistance in implementing a security system.
"Most of my team spends most of its time outside of security working with the different organizations," Giambruno notes. For example, they might discuss a particular security development with Pitney Bowes' application development team.
Collaboration between the application and security groups means that security controls are embedded in software from the beginning, as opposed to being retrofitted after development.
The corporate legal department and public affairs shop are two other groups beyond the C-level that might be notified about incidents, says Lawson, the director of global services at Acumen Solutions.
The corporate groups, in turn, will likely have advice for the security team. The University of Georgia maintains a security advisory council with representatives from the human-resources, legal, internal audit and public affairs departments. The university's chief information officer also serves on the council, which offers guidance on security policies and standards, and acts in an advisory capacity during an incident, Gatewood says.
Tone is important in building cooperation between security and other business units. "It's not, 'The sky is falling,'" Giambruno says. "We are good at getting people's attention in a positive way." Giambruno prefers to share information on security issues and explain to the application development team or the information-technology infrastructure team, for example, how those issues may affect them.
"Security has this negative connotation that surrounds it," Hanson says, noting corporate security groups at some companies have a "Big Brother" image. He says his group tries to build consensus rather than dictate security directives. "We want the business to see the security team not as a roadblock, but as a security-minded business partner," he says.
Gatewood says the university environment, in particular, demands communication and consensus building, because "higher education is very slow to change. It's extremely difficult to turn that ship around, if they don't want to be turned around. What I've done here is try to foster and build relationships with students, faculty and staff." Earlier in his career, Gatewood worked with the U.S. Air Force, where security was much easier to enforce. The brass on one's shoulder, he says, determined how many people would listen.
"The chief security officer needs to be more of a business-minded leader and strategist," Gatewood says. He adds that it is incumbent on security managers to rely on metrics-the percentage of total systems with a current security plan, for example-to make the case for security.
"It is all about getting to the ... budget table ... early and bring the right skill set, tools, communications and strategy," Gatewood explains. "If the folks who make the budget decisions speak numbers, mission and bottom line, then you must speak numbers, mission and bottom line. You must show them that their business objectives cannot be attained without security."
But apocalyptic scenarios and tales of past disasters fail to impress business leaders. "Telling war stories doesn't work anymore," Gatewood says.